Ireland, along with most of the developed world, has seen a massive shift towards working from home or hybrid work in the past two years, due to the known health-related measures. But has security of the devices used kept up to pace?
A November article on TheJournal.ie, titled “We’re to ‘work from home unless it’s absolutely necessary’, so can the civil service set an example?”, quoted the Government’s advice that everyone should work from home “unless it is absolutely necessary” and told us that “The Association of Higher and Civil Public Servants (AHCPS) estimated in a survey during the summer that about 80 per cent of staff within various departments were either working remotely or were engaged in blended working”, while a July article in the Irish Times, “Civil servants could work from home up to March 2022”, commented on the speculations of the Minister for Public Expenditure and Reform Michael McGrath TD that, conditioned by public health advice and the trajectory of the pandemic, individual departments and offices would finalise and rollout their long-term blended working policies and implementation plans “from September 2021 to March 2022”.
If not working from home entirely, many organisations have adapted hybrid work as their policy, which has further complicated managing devices because in many cases the line between home devices and office devices has blurred. In a hybrid work setup, some devices may remain in the office, while others will commute back and forth. This makes limiting use to a particular network complex, not to mention finding the extra time staying on top of security. Therefore, ensuring that the migration of both personal and work devices between home and office networks is secure may require enhanced tools and practices.
ESET research in 2021 found that 80 per cent of global businesses are confident their home-working employees have the knowledge and technology needed to handle cyberthreats. However, in the same study, three-quarters (73 per cent) admitted they are likely to be impacted by a cybersecurity incident, and half said they’d already been breached in the past. The human element (falling for phishing, scams, poor password practice) and technology and cloud-specific challenges (exploits targeting unpatched VPNs, misconfigured RDP servers, vulnerabilities, and user misconfiguration of SaaS offerings, as well as reports of stolen account passwords) pose the greatest threats of cybersecurity incidents.
The good news is that security experts like ESET have been promoting best practices in security for years. While there’s no silver bullet, the following will help to mitigate cyber-risk to hybrid working practices:
- classify enterprise data flowing through the cloud and put in place appropriate controls;
- strong encryption for data residing in the cloud at rest and in transit;
- strong passwords (use a password manager);
- multi-factor authentication (MFA) for all accounts;
- restrict access to sensitive accounts with a policy of least privilege;
- prompt risk-based patching of all cloud servers and software;
- zero trust approach to reduce the impact of breaches; and
- regular staff security training on how to spot phishing and scams.
While technical measures like prompt patching are obviously vital, so are human considerations. Regular training and awareness sessions for all employees are a crucial component to enhancing any organisations cybersecurity posture. They may be the weakest link, but staff are also the first line of defence.
T: 053 914 66 00